I'd really appreciate review/feedback. I know this might seem like a
theoretical issue, but we're seeing real
world problems arising from how the stack memory is being allocated.
We use a custom allocator to wrap talloc. Talloc calls the system malloc and
requests an allocation of
the POSIX side, when creating a new context OpenSSL calls the standard
> OPENSSL_malloc and
> OPENSSL_free functions to allocate memory for the stack passed into
> makecontext.
>
> https://github.com/openssl/openssl/blob/1c0eede9827b0962f1d752fa4ab5d436fa039da4/crypto/async/arch/async_p
In our application we use the OpenSSL ASYNC_* API to jump out of verification
and session load/store callbacks.
On the POSIX side, when creating a new context OpenSSL calls the standard
OPENSSL_malloc and
OPENSSL_free functions to allocate memory for the stack passed into makecontext.
https
On Thu, Feb 10, 2022 at 11:48:06PM +, Ma Zhenhua wrote:
> Hi Team,
>
> My SSL/TLS server crashed with the following call stack.
> I'm using OpenSSL 1.1.1l. I compared 1.1.1l with 1.1.1 master branch and
> didn't find related fixes in crypto/asn1.
> Your advic
Hi Team,
My SSL/TLS server crashed with the following call stack.
I'm using OpenSSL 1.1.1l. I compared 1.1.1l with 1.1.1 master branch and didn't
find related fixes in crypto/asn1.
Your advice will be highly appreciated.
(gdb) 0 0x7f4cf7844ce6 in ASN1_OBJECT_free ()
On Tue, Aug 04, 2020 at 10:25:44AM +0200, Ander Juaristi wrote:
> /* Check the OCSP response here */
> ocsp_stap_length = SSL_get_tlsext_status_ocsp_resp(ssl, &ocsp_resp);
>
> certs = SSL_get_peer_cert_chain(ssl);
Side comment, if you end up sticking with post-handshake validation you
probably w
Hi list,
I'm implementing OCSP stapling for wget2 with OpenSSL. And I was
wondering if there's a better way.
The way I'm doing this currently is by letting the handshake complete
normally and check the received OCSP responses (stapled or not) at the
end. Then, if OCSP does not verify, I clos
On Fri, Dec 22, 2017 at 8:40 PM, Viktor Dukhovni wrote:
>
>
> > On Dec 22, 2017, at 11:33 PM, J Decker wrote:
> >
> > Very similar to OpenSSL 1.0.2, plus its own extensions. That's not
> exactly
> > "same".
> >
> > The same in that I can link/compile against either and not change any
> applicat
> On Dec 22, 2017, at 11:33 PM, J Decker wrote:
>
> Very similar to OpenSSL 1.0.2, plus its own extensions. That's not exactly
> "same".
>
> The same in that I can link/compile against either and not change any
> application code... not speaking of internals, just the API.
Well, that's not
On Fri, Dec 22, 2017 at 7:23 PM, Viktor Dukhovni wrote:
>
>
> > On Dec 22, 2017, at 10:21 PM, J Decker wrote:
> >
> > I would also suggest check out LibreSSL which uses the same API as
> OpenSSL
>
> Very similar to OpenSSL 1.0.2, plus its own extensions. That's not exactly
> "same".
>
The same
> On Dec 22, 2017, at 10:21 PM, J Decker wrote:
>
> I would also suggest check out LibreSSL which uses the same API as OpenSSL
Very similar to OpenSSL 1.0.2, plus its own extensions. That's not exactly
"same".
--
Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.op
On Fri, Dec 22, 2017 at 4:44 AM, Jan Graczyk wrote:
> Hello OpenSSL-Users,
>
>
>
> I am actually evaluating OpenSSL stack software to be possibly used in my
> company next generation products. We would like to have a secure connection
> between our device TCP/IP stack
Jan Graczyk wrote:
> I am actually evaluating OpenSSL stack software to be possibly used in
> my company next generation products. We would like to have a secure
> connection between our device TCP/IP stack and web server which already
> has SSL server running. I am l
Hello OpenSSL-Users,
I am actually evaluating OpenSSL stack software to be possibly used in my
company next generation products. We would like to have a secure connection
between our device TCP/IP stack and web server which already has SSL server
running. I am looking for a benchmarks of
On 03/24/2017 06:46 PM, Dr. Stephen Henson wrote:
On Tue, Mar 21, 2017, lists wrote:
> On Tue, Mar 21, 2017, lists wrote:
>
>> [...]
>> I am exploring my options with OpenSSL and specifically I am trying
to manage the stacks for some custom objects.
>> [...]
>> What am I doing wrong here?
>
>
On 03/24/2017 06:46 PM, Dr. Stephen Henson wrote:
On Tue, Mar 21, 2017, lists wrote:
Sorry, I first posted this on the -dev list, likely inappropriate... now with
an update:
I am exploring my options with OpenSSL and specifically I am trying to manage
the stacks for some custom objects.
Curr
On Tue, Mar 21, 2017, lists wrote:
> Sorry, I first posted this on the -dev list, likely inappropriate... now with
> an update:
>
> I am exploring my options with OpenSSL and specifically I am trying to manage
> the stacks for some custom objects.
> Currently, I have this code (sort of) in the
Sorry, I first posted this on the -dev list, likely inappropriate... now with
an update:
I am exploring my options with OpenSSL and specifically I am trying to manage
the stacks for some custom objects.
Currently, I have this code (sort of) in the headers:
typedef struct myThingA_st
{
ASN1
Hi folks,
AFAIK Android javax.net.ssl classes uses openSSL/BoringSSL library at C/Low
level for any SSL/TLS.
https://developer.android.com/reference/javax/net/ssl/package-summary.html.
/**
 * Provides the Java side of our JNI glue for OpenSSL.
 */
https://android.googlesource.com/platform/
Hello,
After getting an error in the verify callback of my server saying that the
presented client certificate is expired, I cannot clear the openssl error stack.
The reason I want to do that is because I want to be able to override (under
specific circumstances) the default OpenSSL behavior
Hi,
I would like to know from which version onwards OpenSSL library supports IPv6/Dual
Stack implementation.
I have searched on net but was not able to find relevant answer.
Regards,
Shravan Mahendra
ith them having their private structures. I have no
problems with opaque structures.
If I have to have it, I'd like to put it on the stack minimize the
cost of using it.
It's hard to claim safe harbor in "it's private" when an application is
for
On Fri, Jan 17, 2014 at 09:57:00AM -0500, Jeffrey Walton wrote:
> > BN_CTX_init() (deprecated) initializes an existing uninitialized
> > BN_CTX. This should not be used for new programs. Use BN_CTX_new()
> > instead.
>
> Odd it's still being used in the source code.
Not that odd. Libraries are fr
ed on the
stack.
> Indeed, https://www.openssl.org/docs/crypto/BN_CTX_new.html says
>
> BN_CTX_init() (deprecated) initializes an existing uninitialized BN_CTX. This
> should not be used for new programs. Use BN_CTX_new() instead.
>
Odd it's still being used i
BN_CTX on stack (not BN_CTX*)
I'm trying to declare a BN_CTX on the stack (with a subsequent call to
BN_CTX_init) to stay out of the memory manager.
When I do, I get an error:
aggregate ‘BN_CTX’ has incomplete type and cannot be defined
I've included , so I'm kind of su
I'm trying to declare a BN_CTX on the stack (with a subsequent call to
BN_CTX_init) to stay out of the memory manager.
When I do, I get an error:
aggregate ‘BN_CTX’ has incomplete type and cannot be defined
I've included , so I'm kind of surprised I can't
compile. ( h
If one naively uses PKCS12_parse to extract key, certificate, and
certificate chain, and then iterates through the STACK_OF(X509) calling
SSL_CTX_add_extra_chain_cert (starting at sk_X509_value(ca, 0)) then the
chain will be in the opposite order to what's in the PKCS#12 file.
That seems consisten
implemented (it is a sequence):
ASN1_SEQUENCE(MY_CUSTOM) =
{
    ... // omitted
} ASN1_SEQUENCE_END(MY_CUSTOM)

IMPLEMENT_ASN1_FUNCTIONS_const(MY_CUSTOM)
IMPLEMENT_ASN1_DUP_FUNCTION(MY_CUSTOM)
The problem is that I can't use the stack functions like
sk_MY_CUSTOM_new_nul
ust be empty before the TLS/SSL I/O
> > operation is attempted, or SSL_get_error() will not work reliably.
> >
> >
> > And don't I have to use the ERR_* functions to clear the error stack,
> > as mandated?
>
age:
>
>
> The current thread's error queue must be empty before the TLS/SSL I/O
> operation is attempted, or SSL_get_error() will not work reliably.
>
>
> And don't I have to use the ERR_* functi
nd don't I have to use the ERR_* functions to clear the error stack,
as mandated?
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.
When dealing with the high level SSL_* functions, stick with
SSL_get_error() as per s_client.c and s_server.c.
If you are doing things on a lower level, you may need to deal with
the error stack yourself; but for people new to OpenSSL, just stick
with functions starting with SSL_* or BIO_*
On
I should have mentioned ERR_get_error() in my question, that's what's
most heavily on my mind. The question is if you have to call clear the
error stack with ERR_get_error() after every failed SSL call, even
failures that are often "not really failures." For example, my code
error(), if you don't want to. I don't necessarily recommend
it, but for simple and shortlived programs, this is an option. In my
experience, it's more a case of apparent memory leakage caused by the
error stack, not an instability.
On Fri, Feb 12, 2010 at 6:11 PM, Patrick M. Rut
As an OpenSSL newbie, I'm troubled that the man pages for SSL_write()
and SSL_read() don't stress that you should clear the error stack upon
a failed call. They suggest you check SSL_get_error(), but they make
no mention of clearing the error stack afterward, and I hear that
clearing
Hi,
I am trying to use openssl stack to store structure, but I have an issue that
latest push always rewrites previous entries, so I have multiple same
entries.
Now I am not sure if I have the push or the print written wrong.
I have the following code:
Header file:
typedef struct MyStrucS_st
On Thu, Oct 1, 2009 at 6:07 PM, Dwight Schauer wrote:
> We are using openssl-32bit-0.9.8a-18.26 on SLES 10.2 (x86_64).
>
> This problem is only occurring on a very small percentage of our installs,
> and is not readily repeatable, but always results in the same back trace.
>
> Program terminat
trace was clean and I could tell
where the problem was.
On an up to date OpenSUSE 10.3 install the back trace was clean and I could
tell where the problem was.
On a SLES 10.2 install however, the segfault in SSL_read function
trashed the stack and made the back trace useless.
All
We are using openssl-32bit-0.9.8a-18.26 on SLES 10.2 (x86_64).
This problem is only occurring on a very small percentage of our installs, and
is not readily repeatable, but always results in the same back trace.
Program terminated with signal 11, Segmentation fault.
#0 0xb7bf54e3 in ssl3_rea
Hello,
Sshd cores while trying to connect from an external system and
the analysis of the stack shows that the last function call was with
openssl.
#mdb core.sshd.1169.x.0.0.1244212472
mdb: warning: core file is from SunOS 5.8 Generic_117350-43; shared text
mappings may not match
Hi All!
When we are decoding the crash which we received with debug openssl
image built. We could see that in X509 stack there is an entry of CERT
present in the structure. I could see that this X509 stack is built on
the packet received in init_msg. We are running 0.9.7l I could see there
Hi Gurus,
I am not subscribed to this list so please reply to my personal email
id( [EMAIL PROTECTED]).
Our multi-threaded application is crashing and the pstack of the core
points to openssl. We are using openssl version 0.9.6g
and http://www.openssl.org/news/changelog.html points to a bug getting
On 2008.04.04 at 15:53:33 +0200, roberto calosino wrote:
> Hello,
>
> I'd like to know the difference between X509_STORE (X509_STORE_new) and
> STACK_OF(X509) (sk_X509_new).
> What kind of additional information contains a X509_STORE ?
Stack is generic data structure.
Hello,
I'd like to know the difference between X509_STORE (X509_STORE_new) and
STACK_OF(X509) (sk_X509_new).
What kind of additional information contains a X509_STORE ?
Thank you very much in advance.
Dow! Ignore my post.
My system and the one of openssl-0.9.8b I am using have
different sized structures and part of my code (a sub-library) wasn't
building against it. Probably Fedora removing legally problematic code.
Darryl
are no memory
leaks, i.e. that I don't need to call HMAC_CTX_cleanup(). But the man
page indicates my usage of HMAC_Init() is depreciated so I'm trying to
convert to HMAC_Init_ex() but I'm finding my stack is getting destroyed.
Now I am trying to understand the HMAC_CTX_init()
Hi All,
I am using pSOS on ARM 7.0 LE board.
RSA_private_encrypt() which is needed to "signing the private key with
hash" is causing a "STACK CRASH" ?
The Function trace is :-
RSA_private_encrypt() -> RSA_eay_private_encrypt() -> loop of (
BN_mod_exp_mount() ->
Hi All,
I am running an application for ARM board with pSoS with application
stack size = 0xf000.
But when I tried to sign my private key with hash with function
eay_get_x509sign() , it is causing stack dump with reason "Data Access
Abort" in function BN_mod_exp_moun
Hi everyone,
I'm developing the ASN.1 structure of the SCVP protocol but I obtain
an error (segmentation fault) when I try to get the certificates
stored into a stack.
I'm trying to decode the CertBundle field (SEQUENCE SIZE (1..MAX) OF
Certificate), and for this, I've the followi
Steve,
Thank you very much for your response. The reason I didn't use
sk_X509_num() instead of ((STACK *)ca)->num is because I will change the
program to load libeay32.dll instead of linking my program with library
libeay32.lib. sk_X509_num() is a macro and it is the replac
after I called
> PKCS12_parse(..) I only got one certificate. I couldn't get the stack of CA
> certificates. The prototype of PKCS12_parse() is like this:
>
> PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
> STACK_OF(X509) **ca)
>
> After I cal
t the stack of CA
certificates. The prototype of PKCS12_parse() is like this:
PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
STACK_OF(X509) **ca)
After I called the function I only got pkey and cert. The content of *ca
was empty and PKCS12_parse only allocated memo
In message <[EMAIL PROTECTED]> on Sat, 28 Feb 2004 22:50:57 -0800 (PST), "S.Mehdi
Sheikhalishahi" <[EMAIL PROTECTED]> said:
sm_justice> Hi Group
sm_justice> I want to use sk_pop to retrieve the last item in
sm_justice> stack I want to know that the what's th
Hi Group
I want to use sk_pop to retrieve the last item in
stack I want to know that the what's the length of the
returned char*. For example, what's the length of buf?
in the following code.
for(int i = 0;i < sk_num(skCerts);i++) {
buf = sk_pop(skCerts);
//? What's
On Fri, Feb 21, 2003, Austin Krauss wrote:
> Hello all, I've used the PKCS12_parse( ) function to obtain a stack of CA
>certificates from a PKCS12 buffer. Now I'd like to load these certificates as trusted
>CAs in my SSL_CTX object. My first attempt at this goes something
Hello all, I've used the PKCS12_parse( ) function
to obtain a stack of CA certificates from a PKCS12 buffer. Now I'd like to load
these certificates as trusted CAs in my SSL_CTX object. My first attempt at this
goes something like:
/* And add the CAs to our trusted stack
*/
In message <[EMAIL PROTECTED]> on Thu, 10 Oct 2002
14:34:31 -0700 (PDT), jing cui <[EMAIL PROTECTED]> said:
jingcui_80202> Now I have another problem: On DG AViiON machine the
jingcui_80202> "make test" failed with test_bn. I searched
jingcui_80202> openssl-users archive and found that there was
.....
Failed! bc: stack empty
*** Error code 2
Stop.
oing about it wrong, but I can't figure it out.
> Any help would be most appreciated. I'm trying to do this:
>
> given a STACK_OF(PKCS12_SAFEBAG) instance and a
> STACK_OF(X509_ATTRIBUTES) instance, I'm trying to find the
> safebag which has all of the attributes in
(PKCS12_SAFEBAG) instance and a
STACK_OF(X509_ATTRIBUTES) instance, I'm trying to find the
safebag which has all of the attributes in the given attribute stack. So,
here's the code pseudo-code (omitting return values):
void find_bag(STACK_OF(PKCS12_SAFEBAG) *bags,
STACK_OF(X509_ATTRIBUTES) *
61 matches